U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Bureau of Industry and Security

FY 2009 FISMA Assessment of BIS IT Infrastructure (BI) (BIS002)

Final Inspection Report No. OSE-19574 / September 2009

Office of Audit and Evaluation

UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

September 30, 2009

MEMORANDUM FOR: Daniel O. Hill
                Acting Under Secretary for Industry and Security and
                Deputy Under Secretary for Industry and Security

FROM:           Allen Crawley
                Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:        Bureau of Industry and Security
                FY 2009 FISMA Assessment of BIS IT Infrastructure (BI) (BIS002)
                Final Inspection Report No. OSE-19574

This report presents the results of our Federal Information Security Management Act (FISMA) review of BIS' continuous monitoring of security controls as part of the certification and accreditation (C&A) process for the BIS IT Infrastructure (BIS002).

We found that BIS' continuous monitoring for BIS002 did not meet Department and FISMA continuous monitoring requirements. Continuous monitoring has not been conducted since accreditation of the system in FY 2006, and significant C&A deficiencies identified by the OIG in FY 2006 following C&A have not been corrected.
In addition, OIG's own assessment of selected security controls found numerous vulnerabilities requiring remediation. Our findings are of particular concern because BIS has categorized BI as a              

In its response to our draft report, BIS did not dispute our findings but did not specifically indicate whether it agreed with our recommendations. After receiving BIS' response, I spoke with BIS' acting chief information officer, who stated that BIS agreed with our findings and recommendations. BIS' response is included in its entirety as appendix C.

We request that you provide us with an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. A plan of action and milestones should be used to communicate the plan, as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-1855.

Attachment

cc: Suzanne Hilding, chief information officer, U.S.
    Department of Commerce
    Eddie Donnell, acting chief information officer, BIS
    Raushi Conrad, director, System and Security Operations, BIS

OIG FY 2009 FISMA Assessment

Listing of Abbreviated Terms and Acronyms

BI      BIS IT Infrastructure System
BIS     Bureau of Industry and Security
C&A     Certification and Accreditation
CIO     Chief Information Officer
DISA    Defense Information Systems Agency
FIPS    Federal Information Processing Standards
FISMA   Federal Information Security Management Act of 2002
IP      Internet Protocol
IT      Information Technology
NIST    National Institute of Standards and Technology
NTP     Network Time Protocol
OIG     Office of Inspector General
OMB     Office of Management and Budget
POA&M   Plan of Action and Milestones
SID     System Identifier
TCP     Transmission Control Protocol
UDP     User Datagram Protocol

Synopsis of Findings

• Continuous monitoring has not been conducted since the FY 2006 accreditation.
• Significant certification and accreditation deficiencies previously identified by OIG have not been corrected.
• OIG assessments found vulnerabilities requiring remediation.

Conclusion

Since the BIS IT Infrastructure system (BI) was authorized to operate in June 2006, BIS has not followed the Department's IT security policy and NIST requirements for securing this              system.
BIS has not conducted control assessments, assessed the impact of configuration changes on the system, reported and corrected known vulnerabilities, or addressed significant deficiencies identified in a previous OIG evaluation conducted in FY 2006. As a result, the system owner has not provided the authorizing official with assurance that the required controls are adequately protecting the system and its information. Thus, BIS should not have reported to OMB and the Department that annual assessments of security controls were conducted or that the system was certified and accredited.

Summary of BIS Response

In its response to our draft report, BIS did not dispute our findings but did not specifically indicate whether it agreed with our recommendations.

BIS explained that it will produce an action plan to address our recommendations, and that its FY 2010 President's Request will provide the resources needed to replace the system with a more secure infrastructure.

BIS' response is included in its entirety as appendix C of this report.

OIG Comments

After receiving BIS' response, OIG's assistant inspector general for systems acquisition and IT security spoke with BIS' acting chief information officer, who stated that BIS agreed with our findings and recommendations.

Introduction

BI provides headquarters and 11 field offices with services that include e-mail, office automation, correspondence and assignment tracking, secure remote file access, export licensing storage, and management of BIS legal documents.
At headquarters, BIS relies on the Department's network infrastructure to provide IT security services such as firewall protection, content monitoring and filtering, and network-based intrusion detection. BIS' deputy under secretary for Industry and Security authorized BI to operate on June 26, 2006.

Because BI processes              data, BIS has categorized it as a              system, which means that a security breach could be expected to have a              effect on organizational operations, organizational assets, or individuals.

Findings and Recommendations

1. Continuous Monitoring Has Not Been Conducted Since the FY 2006 Accreditation

Background: NIST SP 800-37 emphasizes that continuous monitoring is a critical aspect of certification and accreditation (C&A) and requires four essential activities: (1) configuration management and control of information system components, (2) security impact analyses of changes to the system, (3) assessment of security controls, and (4) status reporting.

• Configuration management and security impact analyses have not been conducted.
   o Because system changes have not been managed, BIS system administrators could not explain, and the system security plan did not describe,              
   o The system inventory BIS provided does not accurately represent the current operational system (see table 1).
      ▪ BIS told us that 31 system components have been removed from the accreditation boundary.
         • Twenty-two are still listed on the system inventory despite having been retired and disconnected from the network.
           Our assessments confirmed they are no longer connected.
         • Our assessments found nine of these system components to be connected, active, and accessible. BIS staff was not aware these components were still active and was unsure of the operational impact of removing them.
            o              
   o Although significant changes have been made to the system, the security plan has not been updated since BI was last certified and accredited in 2006.
      ▪ Effective security protection requires a clear understanding of changes to servers, workstations, laptops, and application software components.
      ▪ Comprehensive implementation of security controls requires an accurate inventory of system components and applications.
      ▪ Security plans are required to be updated at least annually or when a significant system change is made.
   o BIS did not conduct analyses to determine the security impact of system changes.
      ▪ Analysis is required to determine if changes to the system affect the security controls currently in place, produce new vulnerabilities in the system, or generate requirements for new security controls.
      ▪ Security impact analysis is an essential risk management activity,              .

• Continuous assessment of security controls has not been done.
   o BIS reported to the Department Chief Information Officer (CIO) that annual assessments of security controls were conducted in FY 2007 and FY 2008. However, BIS could not provide OIG with the assessment
     procedures used to assess controls, assessment result artifacts, vulnerabilities identified by the assessments, or any other evidence to support its claim that annual assessments were conducted.
   o Vulnerability scanning was conducted by the Department, but BIS could not provide any evidence that the scanning results were analyzed or that corrective actions were taken.
   o NIST emphasizes the importance of continuously assessing security controls to ensure they are operating as intended and protecting the information system appropriately.

• BIS management and staff have not used the plan of action and milestones (POA&M) to manage known vulnerabilities.
   o No POA&Ms have been created to address vulnerabilities since 2006.
   o BIS also failed to add vulnerabilities known prior to C&A in 2006 to the POA&M. These vulnerabilities include              
   o Some of the vulnerabilities BIS has not documented in a POA&M or corrected can be remediated by administrative actions requiring minimal effort, such as the following:              
   o BIS asserted that it does not use the POA&M to record vulnerabilities that are fixed within 90 days of discovery or for which management accepts the associated risk. However, BIS could not provide any evidence of vulnerabilities that were remediated or for which risks were accepted.
   o POA&Ms are required to track and manage system weaknesses and to inform the authorizing official of corrective actions needed, resources required, responsible individuals, and scheduled completion dates.

Recommendations

BIS should

1.1 implement a change management methodology to approve system changes, conduct security
    impact analyses of changes to the system, and update the system security plan;

1.2 develop and conduct continuous monitoring assessments of selected NIST SP 800-53 security controls using NIST SP 800-53A, as required by OMB; and

1.3 ensure that all known vulnerabilities are documented in the system's POA&M or that the authorizing official is informed of and accepts the associated risk.

2. Significant Certification and Accreditation Deficiencies Previously Identified by OIG Have Not Been Corrected

BI was certified and accredited June 26, 2006. OIG evaluated the C&A package as part of its FY 2006 Federal Information Security Management Act of 2002 (FISMA) evaluation and presented the following findings to BIS on March 7, 2007.

• OIG's evaluation found that certification testing did not adequately assess the required security controls and that the authorizing official lacked the information needed to make a credible, risk-based decision on whether to authorize system operation. As a result, in our FY 2006 FISMA report to OMB, we reported this system as not certified and accredited.
   We presented the following significant deficiencies requiring management attention:
   o The system security plan did not clearly describe the system architecture, component inventory, and implementation of security controls for a              system.
   o Secure configuration settings for IT products were not established, implemented, or assessed.
   o Security control assessments were inadequate.
      ▪ Assessment results were not provided.
      ▪ Procedures to assess security controls were not applied to all system components.
      ▪ Controls were assessed by examining policy and interviewing staff rather than by examining or testing the controls' implementation on system components.
      ▪ Vulnerability scanning did not assess all system components at              and              
      ▪ Penetration testing              was not performed.
   o Contingency plan testing was not supported by evidence.

• In a memorandum dated March 19, 2007, BIS' IT security officer informed OIG management that BIS planned to reaccredit this system by December 2007 in order to address these deficiencies, as well as the significant changes made since the FY 2006 accreditation.
   BIS' then-CIO, in an e-mail to OIG management on January 8, 2009, stated that the effort was not completed because of budget constraints.

• Since accrediting the system in FY 2006, BIS has not followed the Department's IT security policy and NIST requirements for maintaining and monitoring system security controls.

• The system owner has not provided the authorizing official with assurance that the required controls are adequately protecting the system and its information.

• BI's C&A expired on June 25, 2009. BIS is planning to migrate the information and functionality of BI to a new system. This migration, however, may not be completed until 2011 and is dependent on the development, deployment, and accreditation of the new system. Currently, BIS has no formal plan to reaccredit the BI system.

Recommendations

BIS should

2.1 report to the Department that BI is not certified and accredited; and

2.2 manage the security risks of operating BI until it is retired by assessing the effectiveness of security controls, determining the remaining risks, developing and implementing a plan of action and milestones to mitigate those risks, and reporting regularly to the authorizing official and BIS' acting CIO concerning the status of milestones.

3. OIG Assessments Found Vulnerabilities Requiring Remediation

As part of OIG's FY 2009 FISMA evaluation of the BIS IT Infrastructure, we assessed a targeted set of system components to determine if selected security controls are properly implemented on applicable IT products.
We tailored our procedures to the infrastructure's specific control implementations, and we performed vulnerability scanning using Nessus.

• OIG assessments found this              system is not compliant with the Department's IT security policy or NIST SP 800-53 requirements (see table 2 for examples). Security weaknesses we found include the following:              

• Using the Nessus vulnerability scanner, we found significant vulnerabilities, including              (see table 3).

Recommendation

3.1 BIS should ensure the vulnerabilities we identified are added to the system's POA&M and either remediated or accepted by the authorizing official.

Table 1.
System Components Not Properly Managed or Documented

Component Name    IP Address    OIG Comments
                                These components have been retired, but are still listed in the system inventory.
                                Although BI management claimed that these components had been retired from the system, they are still active and accessible from the network.

* All component IP addresses and names (including those labeled "Unknown") are excerpts from the system inventory.

Table 2. Vulnerabilities Identified by OIG Assessments

Security Control    NIST SP 800-53 Requirement    Vulnerability

Table 3. Vulnerabilities Identified by OIG Using the Nessus Vulnerability Scanner

Host Name    Port    Vulnerability Description
Appendix A: Objectives, Scope, and Methodology

To meet the FY 2009 Federal Information Security Management Act (FISMA) reporting requirements, we evaluated BIS' continuous monitoring activities for the BIS IT Infrastructure System (BI) since the system's accreditation in FY 2006. Continuous monitoring is a critical post-accreditation aspect of the security C&A process. Effective continuous monitoring programs require four activities:

• configuration management and control of information system components
• security impact analyses of changes to the system
• assessment of security controls
• status reporting

NIST SP 800-53 notes that an effective continuous monitoring program results in ongoing updates to the system security plan, the security assessment report, and the plan of action and milestones (POA&M), the three principal documents in the security accreditation package. Through continuous monitoring, the authorizing official is kept apprised of the security posture of the information system.

The objectives of our evaluation were to determine whether, as a result of continuous monitoring, (1) the authorizing official is kept sufficiently informed about the operational status and effectiveness of security controls, and (2) the agency promptly mitigates any identified control deficiencies.
We also sought to determine whether BIS has resolved the C&A deficiencies we identified in our FY 2006 FISMA evaluation.

To evaluate BIS' continuous monitoring efforts, we interviewed BIS staff to determine what continuous monitoring activity had been performed and to gain further insight into the extent of the security control monitoring. We requested security control monitoring results and evidence; however, BIS was unable to provide any. We also requested an updated system security plan and POA&M to determine if continuous monitoring reporting was adequately performed, but BIS indicated that neither had been updated.

In addition, we performed our own assessments of a selected set of security controls (see appendix B) on a targeted set of IT components. We conducted our assessment using a subset of procedures from NIST SP 800-53A, which we tailored to BI's specific control implementations. We did not attempt to perform a complete assessment of each control; instead we chose to focus on specific technical and operational elements. We assessed controls on key classes of IT components, choosing a targeted set of components from each class that would represent the type of components implemented in the system. We also assessed control implementations on              as well as              .
In addition, we examined the security plan descriptions, including related policy documents, and interviewed appropriate BIS personnel.

Our assessments included the following activities:

• extraction, examination, and verification of system configurations
• generation of system events and examination of system logs
• execution of the automated vulnerability scanning tool Nessus
• execution of Defense Information Systems Agency (DISA) scripts to assess secure configuration settings for IT products
• addition, modification, and deletion of accounts

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification for a              system would require. However, our assessments gave us direct assurance of the status of select aspects of important system controls.

We used the following review criteria:

• Federal Information Security Management Act of 2002 (FISMA)
• U.S.
  Department of Commerce IT Security Program Policy and Minimum Implementation Standards, June 30, 2005
• NIST Federal Information Processing Standards (FIPS)
   o Publication 199, Standards for Security Categorization of Federal Information and Information Systems
   o Publication 200, Minimum Security Requirements for Federal Information and Information Systems
• NIST Special Publications:
   o 800-18, Guide for Developing Security Plans for Information Technology Systems
   o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
   o 800-53, Recommended Security Controls for Federal Information Systems
   o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
   o 800-70, Security Configuration Checklists Program for IT Products
   o 800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (revised January 2005) issued by the President's Council on Integrity and Efficiency.

Appendix B: NIST SP 800-53 Security Controls Assessed by OIG

• Account Management (AC-2)
• Access Enforcement (AC-3)
• Least Privilege (AC-6)
• Unsuccessful Login Attempts (AC-7)
• System Use Notification (AC-8)
• Session Lock (AC-11)
• Auditable Events (AU-2)
• Audit Monitoring, Analysis, and Reporting (AU-6)
• Time Stamps (AU-8)
• Protection of Audit
  Information (AU-9)
• Audit Record Retention (AU-11)
• Configuration Settings (CM-6)
• Least Functionality (CM-7)
• User Identification and Authentication (IA-2)
• Device Identification and Authentication (IA-3)
• Authenticator Management (IA-5)
• Rules of Behavior (PL-4)
• Flaw Remediation (SI-2)
• Malicious Code Protection (SI-3)

Appendix C: BIS Response

UNITED STATES DEPARTMENT OF COMMERCE
Under Secretary for Industry and Security
Washington, D.C. 20230

SEP 25 2009

MEMORANDUM FOR ALLEN CRAWLEY
               Assistant Inspector General
               for Systems Acquisition and IT Security

FROM:          Daniel O. Hill
               Acting Under Secretary

SUBJECT:       Draft Inspection Report No. OSE-195754: FY 2009
               FISMA Assessment of BIS IT Infrastructure (BI) (BIS002)

Thank you for the opportunity to comment on the above-referenced draft OIG Report. As we discussed prior to the entrance conference for this inspection, the improvement of the Bureau's infrastructure and enterprise architecture is and remains a high priority. The findings and recommendations from the draft OIG Inspection Report have been reviewed, and BIS does not dispute the findings.

To ensure compliance moving forward, BIS will produce an action plan to not only address the OIG recommendations for BI but also include those recommendations in the operation, monitoring, and maintenance of the new infrastructure.
As we also discussed previously, recent budget constraints and competing priorities for limited resources have impeded compliance with critical aspects of certification and accreditation. However, I want to assure the OIG that the requirements have been identified and the FY 2010 President's Request will provide the resources needed to replace the BIS IT Infrastructure (BI002) with a more secure infrastructure. The implementation of the new Compartmentalized Application Infrastructure will enable the Bureau to follow the Department's IT security policy and NIST requirements.

If you have any questions or comments on our response, please contact Eddie Donnell, BIS' Acting Chief Information Officer, at (202) 482-4296.

cc: Suzanne Hilding
    DOC Chief Information Officer